Security bug in IE 5.5+

I thought this might worth attention of a few people. It seems that IE has a huge security issue with cookies saved into it. With a simple code you can extract information from those cookie, although the cookie has been set to show information only on the sites that it was created in. The problem was found by Online Solutions Oy.

The thing is that there is no guarentees that this bug wouldn't be found in IE 5 or in older versions too. Personally this puts me to inspect my own Authentication Class with a magnifying glass. This also raises a new motto: don't trust other people's security, trust your own...

I notice that as soon as the thread started the second response was anti microsoft. One thing I would raise about cookies is that as developers arn't we encouraged not to use cookies to hold sensitive data in them? I know my supervisor on my industrial year at uni made dam sure we used sessions instead which are securor.

You say that it still surprises you that Microsoft lets bugs through in its code, true. How many people who code and tested there site throughly have passed it bug free only to have someone ome back an hour later with a great big bug in there that you hadn't foudnd? Alos Microsoft's size plays against them, they have more software used by more people on the market than anyone else so of course people are going to try and show that Microsoft is bad.

Right my rant's over. Just to say I ain't anti nor pro Microsoft I just think that people automatically go anti microsoft as soon as they hear the name.

Humble Seeker

The longest journey starts with the smallest step, and knowledge is the longest journey of all.

Originally posted by Humble Seeker I notice that as soon as the thread started the second response was anti microsoft. One thing I would raise about cookies is that as developers arn't we encouraged not to use cookies to hold sensitive data in them? I know my supervisor on my industrial year at uni made dam sure we used sessions instead which are securor.[clip].

Yes, that was my post and it was anti-Microsoft. I am sick and tired of their lack of quality and security. They own the market almost entirely due to their marginal business practices. Customers are not their concern, selling them new versions of Office every year because they refuse to be forward compatible is their primary concern. This sickens me.

I've been developing software commercially or professionally for the past 20 years, and I've never seen as much garbage come out of one development house in my life. I have junior programmers who are more professional in their coding practices than what I see coming out of the largest softare house in the world.

Microsoft is not interested in quality software, they are solely interested in their marketing plans.

I have intimate past involvement with the processes used in Redmond, and I can tell you that product security and product quality are second to the marketing plan - which drives the development plan. There is no excuse for it. They don't need to ship poor quality, buggy, insecure software to continue to own the market. The fact that they own the market makes them continue to ship junk as software.

Did you know that they have the largest automated testing facility in the world, and that it's virtually impossible to get time in the lab for testing because of their poor internal quality control? How many times do you need to be exposed by a buffer overflow problem before you solve it once and for all in your core internal library routines that deal with I/O? For most companies of this size, that would be once. For Microsoft, the development practices that learn from past mistakes and build quailty code on top of quality code do not exist.

As for storing sensitive information in cookies, what can you store now in a cookie that is not sensitive - knowing that I can harvest all your cookie data when you visit my website. What's NOT sensitive that you would even bother to store? Store a key to a session ID on a server that expires in 10 minutes. Anything else leaves you open to attack.

Humble Seeker: As much I'd liked to agree with you, I can't. I was personally a fan of Microsoft. I still like their internet browser more than any other browser. But we have to face the facts here. What thewitt said was to the core of the fungus.

About what to store in the cookie that's sensitive, hasn't it been a policy to store user information to a cookie so you can display (for example) the "right" banners for that user. What would such a cookie contain? Anybody can do that, but only the wisest store only an DB or session id to the cookie, so you can quickly check the user from your databases. But lets take a look at a Auth class. I have one, it's pretty secure, atm.

I think it's now up to us, developers to be "smarter" than the software houses and produce products that doesn't fall into pitfalls, created my the big software houses. I managed to make a small measure that protects your password and username, even if stored into a cookie. Simple, crypt it. You make a string, from (for example) names, countries, ids, and basicly anything you have about the user, and then just crypt that. It would be almost impossible for crackers to know what strings you used to create the encrypted word.

Anyway, thewitt talked about smart things about smart developers. I agree with him and support such policies, although I am only a low web developer. I think the largest software house in the world should be able to do that too...

Security patch from Microsoft

Okei people,

MS finally published a patch for us all IE users to update our browser to more secure. This should fix the security bug in the cookie that anybody can read your cookie, regardless of where you surf. But developers should stay alert, there will be also people who don't have this patch. So lets try keep our scripts secure...